avahi: Import patches for security fixes
authorHirokazu MORIKAWA <morikw2@gmail.com>
Thu, 8 Jun 2023 05:37:38 +0000 (14:37 +0900)
committerTianling Shen <cnsztl@gmail.com>
Sat, 10 Jun 2023 07:27:10 +0000 (15:27 +0800)
commit9bc26cef1a218fea0d5a6ddc52374f764a46d8b5
treea39014e6baa269478f01fe52504f508636fd4306
parent10a27f92aee3fec84ee1ce28ac30e73d3ff12303
avahi: Import patches for security fixes

Imported patches included in debian and other package.

* 200-Fix-NULL-pointer-crashes-from-175.patch
  CVE-2021-3502
   A flaw was found in avahi 0.8-5. A reachable assertion is present in avahi_s_host_name_resolver_start function allowing a local attacker to crash the avahi service by requesting hostname resolutions through the avahi socket or dbus methods for invalid hostnames. The highest threat from this vulnerability is to the service availability.

* 201-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
  CVE-2021-3468
   A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.

* 202-avahi_dns_packet_consume_uint32-fix-potential-undefined-b.patch
   avahi_dns_packet_consume_uint32 left shifts uint8_t values by 8, 16 and 24 bits to combine them into a 32-bit value. This produces an undefined behavior warning with gcc -fsanitize when fed input values of 128 or 255 however in testing no actual unexpected behavior occurs in practice and the 32-bit uint32_t is always correctly produced as the final value is immediately stored into a uint32_t and the compiler appears to handle this "correctly".
Cast the intermediate values to uint32_t to prevent this warning and ensure the intended result is explicit.

* 203-Do-not-disable-timeout-cleanup-on-watch-cleanup.patch
   This was causing timeouts to never be removed from the linked list that tracks them, resulting in both memory and CPU usage to grow larger over time.

* 204-Emit-error-if-requested-service-is-not-found.patch
   It currently just crashes instead of replying with error. Check return
value and emit error instead of passing NULL pointer to reply.

* 205-conf-file-line-lengths.patch
   Allow avahi-daemon.conf file to have lines longer than 256 characters (new limit 1024).

Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
(cherry picked from commit 779af4d40ccdc0f2a798ee6b6849abb37d202f1b)
libs/avahi/Makefile
libs/avahi/patches/200-Fix-NULL-pointer-crashes-from-175.patch [new file with mode: 0644]
libs/avahi/patches/201-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch [new file with mode: 0644]
libs/avahi/patches/202-avahi_dns_packet_consume_uint32-fix-potential-undefined-b.patch [new file with mode: 0644]
libs/avahi/patches/203-Do-not-disable-timeout-cleanup-on-watch-cleanup.patch [new file with mode: 0644]
libs/avahi/patches/204-Emit-error-if-requested-service-is-not-found.patch [new file with mode: 0644]
libs/avahi/patches/205-conf-file-line-lengths.patch [new file with mode: 0644]